Re: RFC(v2): Audit Kernel Container IDs
On Monday, December 11, 2017 11:30:57 AM EST Eric Paris wrote:
> Because a container doesn't have to use namespaces to be a
container
> you still need a mechanism for a process to declare that it is in
> fact
> in a container, and to identify the container.
I like the idea but I'm still tossing it around in my head (and
thinking about Casey's statement too). Lets say we have a 'docker-like'
container with pid=100 netns=X,userns=Y,mountns=Z. If I'm on the host
in all init namespaces and I run
nsenter -t 100 -n ip link set eth0 promisc on
How should this be logged?
If it is a normal process, then everything would match the init name space and
you wouldn't have entered a container. If it were a container, any generated
event should have the container ID from registration attached to it.
Did this command run in it's own 'container' unrelated to
the 'docker-like'
container?
That should be determined by what's in the task struct.
-Steve